Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SU25 step 2: tcodes from MENU or from S_TCODE

former_member577095
Participant
0 Kudos
196

Hi all,

I am using SU25 step 2 a,b,c,d to migrate roles (3.1 to 4.6). The main logic of SU25 step 2 is that table USOBT_C is used to insert new auth values. To do this, transaction codes are used to SELECT entries from USOBT_C.

Now the dilemma: which transaction codes are used ? The ones from AGR_TCODES (this means MENU ROLE) or from authorizations under S_TCODE of AGR_1251 (this means authorization tree).

As I know, only the tcodes in MENU are considered but I have heard that the new SU25 (kernel 6.40 I suppose) is able to consider also the S_TCODE auths. I have done many checks (even using the SSM_CUST table with NEW_SU25_EXCHANGE ID and ssm_cust-path = YES), but only MENUS have been considered. Of course all this issue is relevant only if the MENU and S_TCODE are misaligned.

One other dilemma is: if S_TCODES auths are used, what happens when ranges and jolly char (*) are used ?

Many thanks for your help.

Andrea Cavalleri

2 REPLIES 2

manohar_kappala2
Contributor
0 Kudos
100

Hi,

Let me say I am not exactly sure. But what I feel is that it takes the entries only from AGR_TCODES, the reason being that some times there may be some internally calling transactions from one transaction. So as per the business process we add only that transaction only in S_TCODE rather than adding in directly in the menu as doing that might bring in more authorizations. Since if in SU25 if it refers to the AGR_1251 table then it would bring in unnecessary authorizations in some of the cases which is not a good thing to do as per security. So I feel tha the entries is based only on Menu rather than AGR_1251.

Please let me know if this explanation helps

0 Kudos
100

Hi,

I have never heard of SU25 being able to consider the S_TCODE entries. Normally, SU25 only considers the tcodes assigned to the menu. In my opinion, it would be a bad idea to consider S_TCODE entries that have been changed or manually inserted for a number of reasons.

For logic on how SU25 handles each relating authorisation object in the role, check out the topic